Analysts who are content experts can create ESA Correlation rules that generate alerts. When a rule is more complex than what can be specified in the ESA Rule Builder, they can write advanced Event Processing Language (EPL) rules. After the ESA rules are deployed and the alert criteria are met, ESA Correlation-server forwards the raw alerts to Respond-server.
In NetWitness Platform version 11.4 and later, to prevent your customizations from being overwritten when the Respond normalization scripts are updated, add any custom logic to the custom_normalize_<alert type>.js files. The custom normalization script files have a custom_normalize prefix and are located in the /var/lib/netwitness/respond-server/scripts directory:
To Configure Custom Respond Server Alert Normalization:
- Open the custom_normalize_core_alerts.js file.
The normalizedAlert object is already available at this point: it has passed through the basic parsing logic flow, in which some of the meta values have been copied to normalizedAlert from headers and rawAlert.
- Populate the normalizedAlert object with the custom meta values that are not covered in the basic parsing logic:
Add your custom logic below the line: var normalized = Object.assign(normalizedAlert);
The headers parameter has very few attributes like:
The important parameter is rawAlert, which has an embedded events object, which is an array: the list of events associated with the alert. Each event carries the meta keys that come from the Concentrator. Here are some example meta keys:
The normalized object also has an embedded events object, which is an array.
- Iterate through each item of the normalized.events and rawAlert.events and then copy the custom meta attributes from the rawAlert.events to the normalized.events.
The following example shows how to add custom meta keys to the custom_normalize_core_alerts.js file.
The metaKey1 and metaKey2 meta keys are now populated on the normalized alert, and you can view them in the NetWitness Platform user interface.
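The copy step from the procedure above, written out as an added stand-alone example (it is not the script shipped with NetWitness Platform or the example referenced in the documentation): the customNormalize function name, the CUSTOM_META_KEYS list and the sample alert shapes are assumptions; only normalizedAlert, rawAlert, events, metaKey1 and metaKey2 come from the page.

```javascript
// Added example, not the NetWitness custom_normalize_core_alerts.js script.
// Models the documented step: copy custom meta keys from rawAlert.events
// into normalized.events so they become visible on the normalized alert.
'use strict';

// Assumption: the custom meta keys the analyst wants carried over.
var CUSTOM_META_KEYS = ['metaKey1', 'metaKey2'];

function customNormalize(headers, rawAlert, normalizedAlert) {
  // Mirrors the line the documentation says to add logic below.
  // Object.assign with a single argument returns that same object,
  // so `normalized` is an alias of normalizedAlert, not a copy.
  var normalized = Object.assign(normalizedAlert);

  var rawEvents = (rawAlert && Array.isArray(rawAlert.events)) ? rawAlert.events : [];
  if (!Array.isArray(normalized.events)) {
    normalized.events = [];
  }

  // Walk both arrays in step; events are matched by index.
  for (var i = 0; i < rawEvents.length; i++) {
    var rawEvent = rawEvents[i];
    if (normalized.events[i] === undefined) {
      normalized.events[i] = {};
    }
    CUSTOM_META_KEYS.forEach(function (key) {
      // Copy only keys the raw event actually carries; an absent key
      // leaves the normalized event untouched rather than writing undefined.
      if (rawEvent && Object.prototype.hasOwnProperty.call(rawEvent, key)) {
        normalized.events[i][key] = rawEvent[key];
      }
    });
  }
  return normalized;
}

// Constructed sample input standing in for the objects the Respond
// normalization flow passes in (headers is left empty on purpose).
var sampleHeaders = {};
var sampleRawAlert = {
  events: [
    { metaKey1: 'value-a', metaKey2: 'value-b', otherKey: 'not-copied' },
    { metaKey1: 'value-c' } // metaKey2 absent on this event
  ]
};
var sampleNormalizedAlert = { events: [{ existing: 1 }, { existing: 2 }] };

var result = customNormalize(sampleHeaders, sampleRawAlert, sampleNormalizedAlert);
console.log(JSON.stringify(result.events));
```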
When customizing normalization script files, you can also look at the built-in Respond normalization script files for reference, such as normalize_alerts.js.